Overview, page 1 How Proxy Mobile IP Works in 3GPP Network, page 10
|
|
- Sarah Barton
- 6 years ago
- Views:
Transcription
1 This chapter describes system support for Proxy Mobile IP and explains how it is configured. The product administration guides provide examples and procedures for configuration of basic services on the system. It is recommended that you select the configuration example that best meets your service model before using the procedures in this chapter. Proxy Mobile IP provides a mobility solution for subscribers with mobile nodes (MNs) capable of supporting only Simple IP. This chapter includes the following sections: Overview, page 1 How Proxy Mobile IP Works in 3GPP2 Network, page 4 How Proxy Mobile IP Works in 3GPP Network, page 10 How Proxy Mobile IP Works in WiMAX Network, page 14 How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication, page 19 Configuring Proxy Mobile-IP Support, page 24 Overview Proxy Mobile IP provides mobility for subscribers with MNs that do not support the Mobile IP protocol stack. Important Proxy Mobile IP is a licensed Cisco feature. A separate feature license may be required. Contact your Cisco account representative for detailed information on specific licensing requirements. For information on installing and verifying licenses, refer to the Managing License Keys section of the Software Management Operations chapter in the System Administration Guide. The Proxy Mobile IP feature is supported for various products. The following table indicates the products on which the feature is supported and the relevant sections within the chapter that pertain to that product. 1
2 Overview Table 1: Applicable Products and Relevant Sections Applicable Product(s) PDSN Refer to Sections Proxy Mobile IP in 3GPP2 Service, on page 3 How Proxy Mobile IP Works in 3GPP2 Network, on page 4 Configuring FA Services, on page 24 Configuring Proxy MIP HA Failover, on page 26 Configuring HA Services Configuring Subscriber Profile RADIUS Attributes, on page 26 RADIUS Attributes Required for Proxy Mobile IP, on page 27 Configuring Local Subscriber Profiles for Proxy-MIP on a PDSN, on page 28 Configuring Default Subscriber Parameters in Home Agent Context, on page 29 GGSN Proxy Mobile IP in 3GPP Service, on page 3 How Proxy Mobile IP Works in 3GPP Network, on page 10 Configuring FA Services, on page 24 Configuring Proxy MIP HA Failover, on page 26 Configuring HA Services Configuring Subscriber Profile RADIUS Attributes, on page 26 RADIUS Attributes Required for Proxy Mobile IP, on page 27 Configuring Default Subscriber Parameters in Home Agent Context, on page 29 Configuring APN Parameters, on page 29 ASN GW Proxy Mobile IP in WiMAX Service, on page 4 How Proxy Mobile IP Works in WiMAX Network, on page 14 Configuring FA Services, on page 24 Configuring Proxy MIP HA Failover, on page 26 Configuring HA Services Configuring Subscriber Profile RADIUS Attributes, on page 26 RADIUS Attributes Required for Proxy Mobile IP, on page 27 Configuring Default Subscriber Parameters in Home Agent Context, on page 29 2
3 Proxy Mobile IP in 3GPP2 Service Applicable Product(s) PDIF Refer to Sections How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication, on page 19 Configuring FA Services, on page 24 Configuring Proxy MIP HA Failover, on page 26 Configuring HA Services Configuring Subscriber Profile RADIUS Attributes, on page 26 RADIUS Attributes Required for Proxy Mobile IP, on page 27 Configuring Default Subscriber Parameters in Home Agent Context, on page 29 Proxy Mobile IP in 3GPP2 Service For subscriber sessions using Proxy Mobile IP, R-P and PPP sessions get established between the MN and the PDSN as they would for a Simple IP session. However, the PDSN/FA performs Mobile IP operations with an HA (identified by information stored in the subscriber's profile) on behalf of the MN (i.e. the MN is only responsible for maintaining the Simple IP PPP session with PDSN). The MN is assigned an IP address by either the PDSN/FA or the HA. Regardless of its source, the address is stored in a mobile binding record (MBR) stored on the HA. Therefore, as the MN roams through the service provider's network, each time a hand-off occurs, the MN will continue to use the same IP address stored in the MBR on the HA. Note that unlike Mobile IP-capable MNs that can perform multiple sessions over a single PPP link, Proxy Mobile IP allows only a single session over the PPP link. In addition, simultaneous Mobile and Simple IP sessions will not be supported for an MN by the FA that is currently facilitating a Proxy Mobile IP session for the MN. The MN is assigned an IP address by either the HA, a AAA server, or on a static-basis. The address is stored in a mobile binding record (MBR) stored on the HA. Therefore, as the MN roams through the service provider's network, each time a hand-off occurs, the MN will continue to use the same IP address stored in the MBR on the HA. Proxy Mobile IP in 3GPP Service For IP PDP contexts using Proxy Mobile IP, the MN establishes a session with the GGSN as it normally would. However, the GGSN/FA performs Mobile IP operations with an HA (identified by information stored in the subscriber's profile) on behalf of the MN (i.e. the MN is only responsible for maintaining the IP PDP context with the GGSN, no Agent Advertisement messages are communicated with the MN). The MN is assigned an IP address by either the HA, a AAA server, or on a static-basis. The address is stored in a mobile binding record (MBR) stored on the HA. Therefore, as the MN roams through the service provider's network, each time a hand-off occurs, the MN will continue to use the same IP address stored in the MBR on the HA. 3
4 Proxy Mobile IP in WiMAX Service Proxy Mobile IP can be performed on a per-subscriber basis based on information contained in their user profile, or for all subscribers facilitated by a specific APN. In the case of non-transparent IP PDP contexts, attributes returned from the subscriber's profile take precedence over the configuration of the APN. Proxy Mobile IP in WiMAX Service For subscriber sessions using Proxy Mobile subscriber sessions get established between the MN and the ASN GW as they would for a Simple IP session. However, the ASN GW/FA performs Mobile IP operations with an HA (identified by information stored in the subscriber's profile) on behalf of the MN (i.e. the MN is only responsible for maintaining the Simple IP subscriber session with ASN GW). The MN is assigned an IP address by either the ASN GW/FA or the HA. Regardless of its source, the address is stored in a mobile binding record (MBR) stored on the HA. Therefore, as the MN roams through the service provider's network, each time a hand-off occurs, the MN will continue to use the same IP address stored in the MBR on the HA. Note that unlike Mobile IP-capable MNs that can perform multiple sessions over a single session link, Proxy Mobile IP allows only a single session over the session link. In addition, simultaneous Mobile and Simple IP sessions will not be supported for an MN by the FA that is currently facilitating a Proxy Mobile IP session for the MN. How Proxy Mobile IP Works in 3GPP2 Network This section contains call flows displaying successful Proxy Mobile IP session setup scenarios. There are multiple scenarios that are dependant on how the MN receives an IP address. The following scenarios are described: Scenario 1: The AAA server that authenticates the MN at the PDSN allocates an IP address to the MN. Note that the PDSN does not allocate an address from its IP pools. Scenario 2: The HA assigns an IP address to the MN from one of its locally configured dynamic pools. 4
5 Scenario 1: AAA server and PDSN/FA Allocate IP Address Scenario 1: AAA server and PDSN/FA Allocate IP Address The following figure and table display and describe a call flow in which the MN receives its IP address from the AAA server and PDSN/FA. Figure 1: AAA/PDSN Assigned IP Address Proxy Mobile IP Call Flow 5
6 Scenario 1: AAA server and PDSN/FA Allocate IP Address Table 2: AAA/PDSN Assigned IP Address Proxy Mobile IP Call Flow Mobile Node (MN) secures a traffic channel over the airlink with the RAN through the BSC/PCF. The PCF and PDSN/FA establish the R-P interface for the session. The PDSN/FA and MN negotiate Link Control Protocol (LCP). Upon successful LCP negotiation, the MN sends a PPP Authentication Request message to the PDSN/FA. The PDSN/FA sends an Access Request message to the RADIUS AAA server. The RADIUS AAA server successfully authenticates the subscriber and returns an Access Accept message to the PDSN/FA. The Accept message may contain various attributes to be assigned to the MN including the MN's Home Address (IP address) and the IP address of the HA to use. The PDSN/FA sends a PPP Authentication Response message to the MN. The MN sends an Internet Protocol Control Protocol (IPCP) Configuration Request message to the PDSN/FA with an MN address of The PDSN/FA forwards a Proxy Mobile IP Registration Request message to the HA. The message includes fields such as the MN's home address, the IP address of the FA (the care-of-address), and the FA-HA extension (security parameter index (SPI)). While the FA is communicating with the HA, the MN may send additional IPCP Configuration Request messages. The HA responds with a Proxy Mobile IP Registration Response after validating the home address against it's pool. The HA also creates a mobile binding record (MBR) for the subscriber session. The MN and the PDSN/FA negotiate IPCP. The result is that the MN is assigned the home address originally specified by the AAA server. While the MN and PDSN/FA are negotiating IPCP, the HA and AAA server initiate accounting. Upon completion of the IPCP negotiation, the PDSN/FA and AAA server initiate accounting fully establishing the session allowing the MN to send/receive data to/from the PDN. Upon completion of the session, the MN sends an LCP Terminate Request message to the PDSN to end the PPP session. The PDSN/FA sends a Proxy Mobile IP De-registration Request message to the HA. The PDSN/FA send an LCP Terminate Acknowledge message to the MN ending the PPP session. 6
7 Scenario 1: AAA server and PDSN/FA Allocate IP Address The HA sends a Proxy Mobile IP De-Registration Response message to the FA terminating the Pi interface The PDSN/FA and the PCF terminate the R-P session. The HA and the AAA server stop accounting for the session. The PDSN and the AAA server stop accounting for the session. 7
8 Scenario 2: HA Allocates IP Address Scenario 2: HA Allocates IP Address The following figure and table display and describe a call flow in which the MN receives its IP address from the HA. Figure 2: HA Assigned IP Address Proxy Mobile IP Call Flow Table 3: HA Assigned IP Address Proxy Mobile IP Call Flow 1 Mobile Node (MN) secures a traffic channel over the airlink with the RAN through the BSC/PCF. 8
9 Scenario 2: HA Allocates IP Address The PCF and PDSN/FA establish the R-P interface for the session. The PDSN/FA and MN negotiate Link Control Protocol (LCP). Upon successful LCP negotiation, the MN sends a PPP Authentication Request message to the PDSN/FA. The PDSN/FA sends an Access Request message to the RADIUS AAA server. The RADIUS AAA server successfully authenticates the subscriber and returns an Access Accept message to the PDSN/FA. The Accept message may contain various attributes to be assigned to the MN including the IP address of the HA to use. The PDSN/FA sends a PPP Authentication Response message to the MN. The MN sends an Internet Protocol Control Protocol (IPCP) Configuration Request message to the PDSN/FA with an MN address of The PDSN/FA forwards a Proxy Mobile IP Registration Request message to the HA. The message includes fields such as a Home Address indicator of , the IP address of the FA (the care-of-address), the IP address of the FA (the care-of-address), and the FA-HA extension (security parameter index (SPI)). While the FA is communicating with the HA, the MN may send additional IPCP Configuration Request messages. The HA responds with a Proxy Mobile IP Registration Response. The response includes an IP address from one of its locally configured pools to assign to the MN (its Home Address). The HA also creates a mobile binding record (MBR) for the subscriber session. The MN and the PDSN/FA negotiate IPCP. The result is that the MN is assigned the home address originally specified by the AAA server. While the MN and PDSN/FA are negotiating IPCP, the HA and AAA server initiate accounting. Upon completion of the IPCP negotiation, the PDSN/FA and AAA server initiate accounting fully establishing the session allowing the MN to send/receive data to/from the PDN. Upon completion of the session, the MN sends an LCP Terminate Request message to the PDSN to end the PPP session. The PDSN/FA sends a Proxy Mobile IP De-registration Request message to the HA. The PDSN/FA send an LCP Terminate Acknowledge message to the MN ending the PPP session. The HA sends a Proxy Mobile IP De-Registration Response message to the FA terminating the Pi interface 9
10 How Proxy Mobile IP Works in 3GPP Network The PDSN/FA and the PCF terminate the R-P session. The HA and the AAA server stop accounting for the session. The PDSN and the AAA server stop accounting for the session. How Proxy Mobile IP Works in 3GPP Network This section contains call flows displaying successful Proxy Mobile IP session setup scenarios in 3GPP network. 10
11 How Proxy Mobile IP Works in 3GPP Network The following figure and the text that follows describe a a sample successful Proxy Mobile IP session setup call flow in 3GGP service. Figure 3: Proxy Mobile IP Call Flow in 3GPP Table 4: Proxy Mobile IP Call Flow in 3GPP 1 The mobile station (MS) goes through the process of attaching itself to the GPRS/UMTS network. 11
12 How Proxy Mobile IP Works in 3GPP Network The terminal equipment (TE) aspect of the MS sends AT commands to the mobile terminal (MT) aspect of the MS to place it into PPP mode. The Link Control Protocol (LCP is then used to configure the Maximum-Receive Unit size and the authentication protocol (Challenge-Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), or none). If CHAP or PAP is used, the TE will authenticate itself to the MT, which, in turn, stores the authentication information. Upon successful authentication, the TE sends an Internet Protocol Control Protocol (IPCP) Configure-Request message to the MT. The message will either contain a static IP address to use or request that one be dynamically assigned. The MS sends an Activate PDP Context Request message that is received by an SGSN. The message contains information about the subscriber such as the Network layer Service Access Point Identifier (NSAPI), PDP Type, PDP Address, Access Point Name (APN), quality of service (QoS) requested, and PDP configuration options. The SGSN authenticates the request message and sends a Create PDP Context Request message to a GGSN using the GPRS Tunneling Protocol (GTPC, "C" indicates the control signalling aspect of the protocol). The recipient GGSN is selected based on either the request of the MS or is automatically selected by the SGSN. The message consists of various information elements including: PDP Type, PDP Address, APN, charging characteristics, and tunnel endpoint identifier (TEID, if the PDP Address was static). The GGSN determines if it can facilitate the session (in terms of memory or CPU resources, configuration, etc.) and creates a new entry in its PDP context list and provides a Charging ID for the session. From the APN specified in the message, the GGSN determines whether or not the subscriber is to be authenticated, if Proxy Mobile IP is to be supported for the subscriber, and if so, the IP address of the HA to contact. Note that Proxy Mobile IP support can also be determined by attributes in the user's profile. Attributes in the user's profile supersede APN settings. If authentication is required, the GGSN attempts to authenticate the subscriber locally against profiles stored in memory or send a RADIUS Access-Request message to a AAA server. If the GGSN authenticated the subscriber to a AAA server, the AAA server responds with a RADIUS Access-Accept message indicating successful authentication and any attributes for handling the subscriber PDP context. If Proxy Mobile IP support was either enabled in the APN or in the subscriber's profile, the GGSN/FA forwards a Proxy Mobile IP Registration Request message to the specified HA. The message includes such things as the MS's home address, the IP address of the FA (the care-of-address), and the FA-HA extension (security parameter index (SPI)). The HA responds with a Proxy Mobile IP Registration Response. The response includes an IP address from one of its locally configured pools to assign to the MS (its Home Address). The HA also creates a mobile binding record (MBR) for the subscriber session. 12
13 How Proxy Mobile IP Works in 3GPP Network The HA sends an RADIUS Accounting Start request to the AAA server which the AAA server responds to. The GGSN replies with an affirmative Create PDP Context Response using GTPC. The response will contain information elements such as the PDP Address representing either the static address requested by the MS or the address assigned by the GGSN, the TEID used to reference PDP Address, and PDP configuration options specified by the GGSN. The SGSN returns an Activate PDP Context Accept message to the MS. The message includes response to the configuration parameters sent in the initial request. The MT, will respond to the TE's IPCP Config-request with an IPCP Config-Ack message. The MS can now send and receive data to or from the PDN until the session is closed or times out. Note that for Mobile IP, only one PDP context is supported for the MS. The FA periodically sends Proxy Mobile IP Registration Request Renewal messages to the HA. The HA sends responses for each request. The MS can terminate the data session at any time. To terminate the session, the MS sends a Deactivate PDP Context Request message that is received by the SGSN. The SGSN sends a Delete PDP Context Request message to the GGSN facilitating the data session. The message includes the information elements necessary to identify the PDP context (i.e., TEID, and NSAPI). The GGSN removes the PDP context from memory and the FA sends a Proxy Mobile IP Deregistration Request message to the HA. The GGSN returns a Delete PDP Context Response message to the SGSN. The HA replies to the FA with a Proxy Mobile IP Deregistration Request Response. The HA sends an RADIUS Accounting Stop request to the AAA server which the AAA server responds to. The SGSN returns a Deactivate PDP Context Accept message to the MS. The GGSN delivers the GGSN Charging Detail Records (G-CDRs) to a charging gateway (CG) using GTP Prime (GTPP). Note that, though not shown in this example, the GGSN could optionally be configured to send partial CDRs while the PDP context is active. For each accounting message received from the GGSN, the CG responds with an acknowledgement. 13
14 How Proxy Mobile IP Works in WiMAX Network How Proxy Mobile IP Works in WiMAX Network This section contains call flows displaying successful Proxy Mobile IP session setup scenarios. There are multiple scenarios that are dependant on how the MN receives an IP address. The following scenarios are described: Scenario 1: The AAA server that authenticates the MN at the ASN GW allocates an IP address to the MN. Note that the ASN GW does not allocate an address from its IP pools. Scenario 2: The HA assigns an IP address to the MN from one of its locally configured dynamic pools. 14
15 Scenario 1: AAA server and ASN GW/FA Allocate IP Address Scenario 1: AAA server and ASN GW/FA Allocate IP Address The following figure and table display and describe a call flow in which the MN receives its IP address from the AAA server and ASN GW/FA. Figure 4: AAA/ASN GW Assigned IP Address Proxy Mobile IP Call Flow Table 5: AAA/ASN GW Assigned IP Address Proxy Mobile IP Call Flow 1 Mobile Node (MN) secures a traffic channel over the airlink with the BS. 15
16 Scenario 1: AAA server and ASN GW/FA Allocate IP Address The BS and ASN GW/FA establish the R6 interface for the session. The ASN GW/FA and MN negotiate Link Control Protocol (LCP). Upon successful LCP negotiation, the MN sends a PPP Authentication Request message to the ASN GW/FA. The ASN GW/FA sends an Access Request message to the RADIUS AAA server. The RADIUS AAA server successfully authenticates the subscriber and returns an Access Accept message to the ASN GW/FA. The Accept message may contain various attributes to be assigned to the MN including the MN's Home Address (IP address) and the IP address of the HA to use. The ASN GW/FA sends a EAP Authentication Response message to the MN. The MN sends an Internet Protocol Control Protocol (IPCP) Configuration Request message to the ASN GW/FA with an MN address of The ASN GW/FA forwards a Proxy Mobile IP Registration Request message to the HA. The message includes fields such as the MN's home address, the IP address of the FA (the care-of-address), and the FA-HA extension (security parameter index (SPI)). While the FA is communicating with the HA, the MN may send additional IPCP Configuration Request messages. The HA responds with a Proxy Mobile IP Registration Response after validating the home address against it's pool. The HA also creates a mobile binding record (MBR) for the subscriber session. The MN and the ASN GW/FA negotiate IPCP. The result is that the MN is assigned the home address originally specified by the AAA server. While the MN and ASN GW/FA are negotiating IPCP, the HA and AAA server initiate accounting. Upon completion of the IPCP negotiation, the ASN GW/FA and AAA server initiate accounting fully establishing the session allowing the MN to send/receive data to/from the PDN. Upon completion of the session, the MN sends an LCP Terminate Request message to the ASN GW to end the subscriber session. The PDSN/FA sends a Proxy Mobile IP De-registration Request message to the HA. The ASN GW/FA send an LCP Terminate Acknowledge message to the MN ending the subscriber session. The HA sends a Proxy Mobile IP De-Registration Response message to the FA terminating the R3 interface The ASN GW/FA and the BS terminate the R6 session. 16
17 Scenario 2: HA Allocates IP Address The HA and the AAA server stop accounting for the session. The ASN GW and the AAA server stop accounting for the session. Scenario 2: HA Allocates IP Address The following figure and table display and describe a call flow in which the MN receives its IP address from the HA. Figure 5: HA Assigned IP Address Proxy Mobile IP Call Flow 17
18 Scenario 2: HA Allocates IP Address Table 6: HA Assigned IP Address Proxy Mobile IP Call Flow Mobile Node (MN) secures a traffic channel over the airlink with the BS. The BS and ASN GW/FA establish the R6 interface for the session. The ASN GW/FA and MN negotiate Link Control Protocol (LCP). Upon successful LCP negotiation, the MN sends an EAP Authentication Request message to the ASN GW/FA. The ASN GW/FA sends an Access Request message to the RADIUS AAA server. The RADIUS AAA server successfully authenticates the subscriber and returns an Access Accept message to the ASN GW/FA. The Accept message may contain various attributes to be assigned to the MN including the IP address of the HA to use. The ASN GW/FA sends an EAP Authentication Response message to the MN. The MN sends an Internet Protocol Control Protocol (IPCP) Configuration Request message to the ASN GW/FA with an MN address of The ASN GW/FA forwards a Proxy Mobile IP Registration Request message to the HA. The message includes fields such as a Home Address indicator of , the IP address of the FA (the care-of-address), the IP address of the FA (the care-of-address), and the FA-HA extension (security parameter index (SPI)). While the FA is communicating with the HA, the MN may send additional IPCP Configuration Request messages. The HA responds with a Proxy Mobile IP Registration Response. The response includes an IP address from one of its locally configured pools to assign to the MN (its Home Address). The HA also creates a mobile binding record (MBR) for the subscriber session. The MN and the ASN GW/FA negotiate IPCP. The result is that the MN is assigned the home address originally specified by the AAA server. While the MN and ASN GW/FA are negotiating IPCP, the HA and AAA server initiate accounting. Upon completion of the IPCP negotiation, the ASN GW/FA and AAA server initiate accounting fully establishing the session allowing the MN to send/receive data to/from the PDN. Upon completion of the session, the MN sends an LCP Terminate Request message to the ASN GW to end the subscriber session. The ASN GW/FA sends a Proxy Mobile IP De-registration Request message to the HA. The ASN GW/FA send an LCP Terminate Acknowledge message to the MN ending the PPP session. 18
19 How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication The HA sends a Proxy Mobile IP De-Registration Response message to the FA terminating the R3 interface The ASN GW/FA and the BS terminate the R6 session. The HA and the AAA server stop accounting for the session. The ASN GW and the AAA server stop accounting for the session. How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication was developed as a result of networks of Mobile Subscribers (MS) that are not capable of Mobile IP operation. In this scenario a PDIF acts a mobile IP client and thus implements Proxy-MIP support. Although not required or necessary in a Proxy-MIP network, this implementation uses a technique called Multiple Authentication. In Multi-Auth arrangements, the device is authenticated first using HSS servers. Once the device is authenticated, then the subscriber is authenticated over a RADIUS interface to AAA servers. This supports existing EV-DO servers in the network. The MS first tries to establish an IKEv2 session with the PDIF. The MS uses the EAP-AKA authentication method for the initial device authentication using Diameter over SCTP over IPv6 to communicate with HSS servers. After the initial Diameter EAP authentication, the MS continues with EAP MD5/GTC authentication. After successful device authentication, PDIF then uses RADIUS to communicate with AAA servers for the subscriber authentication. It is assumed that RADIUS AAA servers do not use EAP methods and hence RADIUS messages do not contain any EAP attributes. Assuming a successful RADIUS authentication, PDIF then sets up the IPSec Child SA tunnel using a Tunnel Inner Address (TIA) for passing control traffic only. PDIF receives the MS address from the Home Agent, and passes it on to the MS through the final AUTH response in the IKEv2 exchange. When IPSec negotiation finishes, the PDIF assigns a home address to the MS and establishes a CHILD SA to pass data. The initial TIA tunnel is torn down and the IP address returned to the address pool.the PDIF then generates a RADIUS accounting START message. When the session is disconnected, the PDIF generates a RADIUS accounting STOP message. 19
20 How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication The following figures describe a Proxy-MIP session setup using CHAP authentication (EAP-MD5), but also addresses a PAP authentication setup using EAP-GTC when EAP-MD5 is not supported by either PDIF or MS. Figure 6: Proxy-MIP Call Setup using CHAP Authentication Table 7: Proxy-MIP Call Setup using CHAP Authentication 1 2 On connecting to WiFi network, MS first send DNS query to get PDIF IP address MS receives PDIF address from DNS 20
21 How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication MS sets up IKEv2/IPSec tunnel by sending IKE_SA_INIT Request to PDIF. MS includes SA, KE, Ni, NAT-DETECTION Notify payloads in the IKEv2 exchange. PDIF processes the IKE_SA_INIT Request for the appropriate PDIF service (bound by the destination IP address in the IKEv2 INIT request). PDIF responds with IKE_SA_INIT Response with SA, KE, Nr payloads and NAT-Detection Notify payloads. If multiple-authentication support is configured to be enabled in the PDIF service, PDIF will include MULTIPLE_AUTH_SUPPORTED Notify payload in the IKE_SA_INIT Response. PDIF will start the IKEv2 setup timer after sending the IKE_SA_INIT Response. On receiving successful IKE_SA_INIT Response from PDIF, MS sends IKE_ AUTH Request for the first EAP-AKA authentication. If the MS is capable of doing multiple-authentication, it will include MULTI_AUTH_SUPPORTED Notify payload in the IKE_AUTH Request. MS also includes IDi payload which contains the NAI, SA, TSi, TSr, CP (requesting IP address and DNS address) payloads. MS will not include AUTH payload to indicate that it will use EAP methods. On receiving IKE_AUTH Request from MS, PDIF sends DER message to Diameter AAA server. AAA servers are selected based on domain profile, default subscriber template or default domain configurations. PDIF includes Multiple-Auth-Support AVP, EAP-Payload AVP with EAP-Response/Identity in the DER. Exact details are explained in the Diameter message sections. PDIF starts the session setup timer on receiving IKE_AUTH Request from MS. PDIF receives DEA with Result-Code AVP specifying to continue EAP authentication. PDIF takes EAP-Payload AVP contents and sends IKE_ AUTH Response back to MS in the EAP payload. PDIF allows IDr and CERT configurations in the PDIF service and optionally includes IDr and CERT payloads (depending upon the configuration). PDIF optionally includes AUTH payload in IKE_AUTH Response if PDIF service is configured to do so. MS receives the IKE_AUTH Response from PDIF. MS processes the exchange and sends a new IKE_AUTH Request with EAP payload. PDIF receives the new IKE_AUTH Request from MS and sends DER to AAA server. This DER message contains the EAP-Payload AVP with EAP-AKA challenge response and challenge received from MS. The AAA server sends the DEA back to the PDIF with Result-Code AVP as "success." The EAP-Payload AVP message also contains the EAP result code with "success." The DEA also contains the IMSI for the user, which is included in the Callback-Id AVP. PDIF uses this IMSI for all subsequent session management functions such as duplicate session detection etc. PDIF also receives the MSK from AAA, which is used for further key computation. PDIF sends the IKE_AUTH Response back to MS with the EAP payload. MS sends the final IKE_AUTH Request for the first authentication with the AUTH payload computed from the keys. If the MS plans to do the second authentication, it will include ANOTHER_AUTH_FOLLOWS Notify payload also. 21
22 How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication PDIF processes the AUTH request and responds with the IKE_AUTH Response with the AUTH payload computed from the MSK. PDIF does not assign any IP address for the MS pending second authentication. Nor will the PDIF include any configuration payloads. a. If PDIF service does not support Multiple-Authentication and ANOTHER_AUTH_FOLLOWS Notify payload is received, then PDIF sends IKE_AUTH Response with appropriate error and terminate the IKEv2 session by sending INFORMATIONAL (Delete) Request.b. If ANOTHER_AUTH_FOLLOWS Notify payload is not present in the IKE_AUTH Request, PDIF allocates the IP address from the locally configured pools. However, if proxy-mip-required is enabled, then PDIF initiates Proxy-MIP setup to HA by sending P-MIP RRQ. When PDIF receives the Proxy-MIP RRP, it takes the Home Address (and DNS addresses if any) and sends the IKE_AUTH Response back to MS by including CP payload with Home Address and DNS addresses. In either case, IKEv2 setup will finish at this stage and IPSec tunnel gets established with a Tunnel Inner Address (TIA). MS does the second authentication by sending the IKE_AUTH Request with IDi payload to include the NAI. This NAI may be completely different from the NAI used in the first authentication. On receiving the second authentication IKE_AUTH Request, PDIF checks the configured second authentication methods. The second authentication may be either EAP-MD5 (default) or EAP-GTC. The EAP methods may be either EAP-Passthru or EAP-Terminated. a. If the configured method is EAP-MD5, PDIF sends the IKE_AUTH Response with EAP payload including challenge.b. If the configured method is EAP-GTC, PDIF sends the IKE_AUTH Response with EAP-GTC.c. MS processes the IKE_AUTH Response: If the MS supports EAP-MD5, and the received method is EAP-MD5, then the MS will take the challenge, compute the response and send IKE_AUTH Request with EAP payload including Challenge and Response. If the MS does not support EAP-MD5, but EAP-GTC, and the received method is EAP-MD5, the MS sends legacy-nak with EAP-GTC. 15(a) 15(b) PDIF receives the new IKE_AUTH Request from MS. If the original method was EAP-MD5 and MD5 challenge and response is received, PDIF sends RADIUS Access Request with corresponding attributes (Challenge, Challenge Response, NAI, IMSI etc.). If the original method was EAP-MD5 and legacy-nak was received with GTC, the PDIF sends IKE_AUTH Response with EAP-GTC. PDIF receives Access Accept from RADIUS and sends IKE_AUTH Response with EAP success. PDIF receives the final IKE_AUTH Request with AUTH payload. PDIF checks the validity of the AUTH payload and initiates Proxy-MIP setup request to the Home Agent if proxy-mip-required is enabled. The HA address may be received from the RADIUS server in the Access Accept ( 16) or may be locally configured. PDIF may also remember the HA address from the first authentication received in the final DEA message. 22
23 How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication If proxy-mip-required is disabled, PDIF assigns the IP address from the local pool. PDIF received proxy-mip RRP and gets the IP address and DNS addresses. PDIF sets up the IPSec tunnel with the home address. On receiving the IKE_AUTH Response MS also sets up the IPSec tunnel using the received IP address. PDIF sends the IKE_AUTH Response back to MS by including the CP payload with the IP address and optionally the DNS addresses. This completes the setup. PDIF sends a RADIUS Accounting start message. Important For Proxy-MIP call setup using PAP, the first 14 steps are the same as for CHAP authentication. However, here they deviate because the MS does not support EAP-MD5 authentication, but EAP-GTC. In response to the EAP-MD5 challenge, the MS instead responds with legacy-nak with EAP-GTC. The diagram below picks up at this point. Figure 7: Proxy-MIP Call Setup using PAP Authentication Table 8: Proxy-MIP Call Setup using PAP Authentication MS is not capable of CHAP authentication but PAP authentication, and the MS returns the EAP payload to indicate that it needs EAP-GTC authentication. PDIF then initiates EAP-GTC procedure, and requests a password from MS. MS includes an authentication password in the EAP payload to PDIF. 23
24 Configuring Proxy Mobile-IP Support Upon receipt of the password, PDIF sends a RADIUS Access Request which includes NAI in the User-Name attribute and PAP-password. Upon successful authentication, the AAA server returns a RADIUS Access Accept message, which may include Framed-IP-Address attribute. The attribute content in the Access Accept message is encoded as EAP payload with EAP success when PDIF sends the IKE_AUTH Response to the MS. The MS and PDIF now have a secure IPSec tunnel for communication. Pdif sends an Accounting START message. Configuring Proxy Mobile-IP Support Support for Proxy Mobile-IP requires that the following configurations be made: Important Not all commands and keywords/variables may be supported. This depends on the platform type and the installed license(s). FA service(s): Proxy Mobile IP must be enabled, operation parameters must be configured, and FA-HA security associations must be specified. HA service(s): FA-HA security associations must be specified. Subscriber profile(s): Attributes must be configured to allow the subscriber(s) to use Proxy Mobile IP. These attributes can be configured in subscriber profiles stored locally on the system or remotely on a RADIUS AAA server. APN template(s): Proxy Mobile IP can be supported for every subscriber IP PDP context facilitated by a specific APN template based on the configuration of the APN. Important These instructions assume that the system was previously configured to support subscriber data sessions as a core network service and/or an HA according to the instructions described in the respective product administration guide. Configuring FA Services Use this example to configure an FA service to support Proxy Mobile IP: configure context <context_name> fa-service <fa_service_name> 24
25 Verify the FA Service Configuration proxy-mip allow proxy-mip max-retransmissions <integer> proxy-mip retransmission-timeout <seconds> proxy-mip renew-percent-time percentage fa-ha-spi remote-address { ha_ip_address ip_addr_mask_combo } spi-number number { encrypted secret enc_secret secret secret } [ description string ][ hash-algorithm { hmac-md5 md5 rfc2002-md5 } replay-protection { timestamp nonce } timestamp-tolerance tolerance ] authentication mn-ha allow-noauth end Notes: The proxy-mip max-retransmissions command configures the maximum number re-try attempts that the FA service is allowed to make when sending Proxy Mobile IP Registration Requests to the HA. proxy-mip retransmission-timeout configures the maximum amount of time allowed by the FA for a response from the HA before re-sending a Proxy Mobile IP Registration Request message. proxy-mip renew-percent-time configures the amount of time that must pass prior to the FA sending a Proxy Mobile IP Registration Renewal Request. Example If the advertisement registration lifetime configured for the FA service is 900 seconds and the renew-time is configured to 50, then the FA requests a lifetime of 900 seconds in the Proxy MIP registration request. If the HA grants a lifetime of 600 seconds, then the FA sends the Proxy Mobile IP Registration Renewal Request message after 300 seconds have passed. Use the fa-ha-spi remote-addresscommand to modify configured FA-HA SPIs to support Proxy Mobile IP. Refer to the Command Line Interface Reference for the full command syntax. Important Note that FA-HA SPIs must be configured for the Proxy-MIP feature to work, while it is optional for regular MIP. Use the authentication mn-ha allow-noauth command to configure the FA service to allow communications from the HA without authenticating the HA. Verify the FA Service Configuration Use the following command to verify the configuration of the FA service: show fa-service name <fa_service_name> Notes: Repeat this example as needed to configure additional FA services to support Proxy-MIP. Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. Proceed to the optional Configuring Proxy MIP HA Failover, on page 26 to configure Proxy MIP HA Failover support or skip to the Configuring HA Services to configure HA service support for Proxy Mobile IP. 25
26 Configuring Proxy MIP HA Failover Configuring Proxy MIP HA Failover Use this example to configure Proxy Mobile IP HA Failover: Important This configuration in this section is optional. When configured, Proxy MIP HA Failover provides a mechanism to use a specified alternate Home Agent for the subscriber session when the primary HA is not available. Use the following configuration example to configure the Proxy MIP HA Failover: configure context <context_name> fa-service <fa_service_name> proxy-mip ha-failover [ max-attempts <max_attempts> num-attempts-before-switching <num_attempts> timeout <seconds> ] Notes: Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. Configuring Subscriber Profile RADIUS Attributes In order for subscribers to use Proxy Mobile IP, attributes must be configured in their user profile or in an APN for 3GPP service. As mentioned previously, the subscriber profiles can be located either locally on the system or remotely on a RADIUS AAA server. This section provides information on the RADIUS attributes that must be used and instructions for configuring locally stored profiles/apns in support of Proxy Mobile IP. Important Instructions for configuring RADIUS-based subscriber profiles are not provided in this document. Please refer to the documentation supplied with your server for further information. Configuring Subscriber Profile RADIUS Attributes In order for subscribers to use Proxy Mobile IP, attributes must be configured in their user profile or in an APN for 3GPP service. As mentioned previously, the subscriber profiles can be located either locally on the system or remotely on a RADIUS AAA server. This section provides information on the RADIUS attributes that must be used and instructions for configuring locally stored profiles/apns in support of Proxy Mobile IP. Important Instructions for configuring RADIUS-based subscriber profiles are not provided in this document. Please refer to the documentation supplied with your server for further information. 26
27 Configuring Subscriber Profile RADIUS Attributes RADIUS Attributes Required for Proxy Mobile IP The following table describes the attributes that must be configured in profiles stored on RADIUS AAA servers in order for the subscriber to use Proxy Mobile IP. Table 9: Required RADIUS Attributes for Proxy Mobile IP Attribute SN-Subscriber- Permission OR SN1-Subscriber- Permission Indicates the services allowed to be delivered to the subscriber. For Proxy Mobile IP, this attribute must be set to Simple IP. Values None (0) Simple IP (0x01) Mobile IP (0x02) Home Agent Terminated Mobile IP (0x04) SN-Proxy-MIP OR SN1-Proxy-MIP Specifies if the configured service will perform compulsory Proxy-MIP tunneling for a Simple-IP subscriber. This attribute must be enabled to support Proxy Mobile IP. Disabled - do not perform compulsory Proxy-MIP (0) Enabled - perform compulsory Proxy-MIP (1) SN-Simultaneous- SIP-MIP OR SN1-Simultaneous- SIP-MIP SN-PDSN-Handoff- Req-IP-Addr OR SN1-PDSN-Handoff- Req-IP-Addr Indicates whether or not a subscriber can simultaneously access both Simple IP and Mobile IP services. Note Regardless of the configuration of this attribute, the FA facilitating the Proxy Mobile IP session will not allow simultaneous Simple IP and Mobile IP sessions for the MN. Specifies whether or not the system should reject and terminate the subscriber session when the proposed address in IPCP by the mobile does not match the existing address that was granted by the chassis during an Inter-chassis handoff. This can be used to disable the acceptance of as the IP address proposed by the MN during the IPCP negotiation that occurs during an Inter-chassis handoff. This attribute is disabled (do not reject) by default. Disabled (0) Enabled (1) Disabled - do not reject (0) Enabled - reject (1) 27
28 Configuring Subscriber Profile RADIUS Attributes Attribute 3GPP2-MIP-HA-Address This attribute sent in an Access-Accept message specifies the IP Address of the HA. Multiple attributes can be sent in Access Accept. However, only the first two are considered for processing. The first one is the primary HA and the second one is the secondary (alternate) HA used for HA Failover. Values IPv4 Address Configuring Local Subscriber Profiles for Proxy-MIP on a PDSN This section provides information and instructions for configuring local subscriber profiles on the system to support Proxy Mobile IP on a PDSN. configure context <context_name> subscriber name <subscriber_name> permission pdsn-simple-ip proxy-mip allow inter-pdsn-handoff require ip-address mobile-ip home-agent <ha_address> <optional> mobile-ip home-agent <ha_address> alternate ip context-name <context_name> end Verify that your settings for the subscriber(s) just configured are correct. show subscribers configuration username <subscriber_name> Notes: Configure the system to enforce the MN\'s use of its assigned IP address during IPCP negotiations resulting from inter-pdsn handoffs. Sessions re-negotiating IPCP will be rejected if they contain an address other than that which was granted by the PDSN (i.e ). This rule can be enabled by entering the inter-pdsn-handoff require ip-address command. Optional: If you have enabled the Proxy-MIP HA Failover feature, use the mobile-ip home-agent ha_address alternate command to specify the secondary, or alternate HA. Repeat this example as needed to configure additional FA services to support Proxy-MIP. Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. Configuring Local Subscriber Profiles for Proxy-MIP on a PDIF This section provides instructions for configuring local subscriber profiles on the system to support Proxy Mobile IP on a PDIF. configure context <context-name> 28
29 Configuring Subscriber Profile RADIUS Attributes subscriber name <subscriber_name> proxy-mip require Note subscriber_name is the name of the subscriber and can be from 1 to 127 alpha and/or numeric characters and is case sensitive. Configuring Default Subscriber Parameters in Home Agent Context It is very important that the subscriber default, configured in the same context as the HA service, has the name of the destination context configured. Use the configuration example below: configure context <context_name> ip context-name <context_name> end Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. Configuring APN Parameters This section provides instructions for configuring the APN templates to support Proxy Mobile IP for all IP PDP contexts they facilitate. Important This is an optional configuration. In addition, attributes returned from the subscriber's profile for non-transparent IP PDP contexts take precedence over the configuration of the APN. These instructions assume that you are at the root prompt for the Exec mode: [local]host_name Enter the configuration mode by entering the following command: configure The following prompt appears: [local]host_name(config) Enter context configuration mode by entering the following command: context <context_name> context_name is the name of the system destination context designated for APN configuration. The name must be from 1 to 79 alpha and/or numeric characters and is case sensitive.the following prompt appears: [<context_name>]host_name(config-ctx) Enter the configuration mode for the desired APN by entering the following command: apn <apn_name> apn_name is the name of the APN that is being configured. The name must be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots (.) and/or dashes (-).The following prompt appears: [<context_name>]host_name(config-apn) Enable proxy Mobile IP for the APN by entering the following command: proxy-mip required 29
30 Configuring Subscriber Profile RADIUS Attributes This command causes proxy Mobile IP to be supported for all IP PDP contexts facilitated by the APN. Optional. GGSN/FA MN-NAI extension can be skipped in MIP Registration Request by entering following command: proxy-mip null-username static-homeaddr This command will enables the accepting of MIP Registration Request without NAI extensions in this APN. Return to the root prompt by entering the following command: end The following prompt appears: [local]host_name Repeat step 1 through step 6 as needed to configure additional APNs. Verify that your APNs were configured properly by entering the following command: show apn { all name <apn_name> } The output is a detailed listing of configured APN parameter settings. Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration. For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference. 30
This chapter includes the following sections: Overview, on page 1 How Proxy Mobile IP Works in 3GPP Network, on page 11
This chapter describes system support for Proxy Mobile IP and explains how it is configured. The product administration guides provide examples and procedures for configuration of basic services on the
More informationFA Service Configuration Mode Commands
FA Service Configuration Mode Commands The Foreign Agent Service Configuration Mode is used to create and manage the Foreign Agent (FA) services associated with the current context. Important The commands
More informationL2TP Access Concentrator
This chapter describes the Layer 2 Tunneling Protocol (L2TP) Access Concentrator (LAC) functionality support on Cisco ASR 5x00 chassis and explains how it is configured. The product Administration Guides
More informationIPSec Network Applications
This chapter describes several methods for implementing IPSec within various network applications. Topics discussed in this chapter include: Implementing IPSec for PDN Access Applications, page 1 Implementing
More informationGGSN Configuration Example
This chapter provides information for configuring the system to function as a Gateway GPRS Support Node (GGSN) in General Packet Radio Service (GPRS) or Universal Mobile Telecommunications System (UMTS)
More informationService Configurations
This chapter describes how to various StarOS services to support IPSec. The following topics are discussed: FA Services Configuration to Support IPSec, page 1 HA Service Configuration to Support IPSec,
More informationConfiguring Security on the GGSN
CHAPTER 12 This chapter describes how to configure security features on the gateway GPRS support node (GGSN), including Authentication, Authorization, and Accounting (AAA), and RADIUS. IPSec on the Cisco
More informationGTP-based S2b Interface Support on the P-GW and SAEGW
GTP-based S2b Interface Support on the P-GW and SAEGW This chapter describes the GTP-based S2b interface support feature on the standalone P-GW and the SAEGW. Feature, page 1 How the S2b Architecture Works,
More informationCrypto Templates. Crypto Template Parameters
This chapter describes how to configure and use StarOS crypto templates. The CLI Crypto Template Configuration Mode is used to configure an IKEv2 IPSec policy. It includes most of the IPSec parameters
More informationOverview of the Cisco Mobile Wireless Home Agent
1 CHAPTER Overview of the Cisco Mobile Wireless Home Agent This chapter illustrates the functional elements in a typical Mobile IP packet data system, the Cisco products that are currently available to
More informationContext Configuration Mode Commands N-R
Context Configuration Mode Commands N-R This section includes the commands nw-reachability server through router service. Important The commands or keywords/variables that are available are dependent on
More informationCisco ASR 5000 Packet Data Interworking Function Administration Guide
Cisco ASR 5000 Packet Data Interworking Function Administration Guide Version 14.0 Last Updated: June 29, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA
More informationCisco ASR 5000 Series Packet Data Interworking Function Administration Guide
Cisco ASR 5000 Series Packet Data Interworking Function Administration Guide Version 12.0 Last Updated April 30, 2011 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706
More informationshow crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2
This chapter includes the command output tables. group summary, page 1 ikev2-ikesa security-associations summary, page 2 ikev2-ikesa security-associations summary spi, page 2 ipsec security-associations,
More informationshow gprs access-point
show gprs access-point show gprs access-point To display information about access points on the GGSN, use the show gprs access-point privileged EXEC command. show gprs access-point {access-point-index
More informationPDSN Service Configuration Mode Commands
Service Configuration Mode Commands The Service Configuration Mode is used to create and manage service instances for the current context. Important The commands or keywords/variables that are available
More informationCrypto Template Configuration Mode Commands
Crypto Template Configuration Mode Commands The Crypto Template Configuration Mode is used to configure an IKEv2 IPSec policy. It includes most of the IPSec parameters and IKEv2 dynamic parameters for
More informationOverview of the Cisco Mobile Wireless Home Agent
CHAPTER 1 Overview of the Cisco Mobile Wireless Home Agent This chapter illustrates the functional elements in a typical CDMA2000 packet data system, the Cisco products that are currently available to
More informationL2TP Network Server. LNS Service Operation
This chapter describes the support for Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) functionality on Cisco ASR 5500 chassis and explains how it is configured. The product Administration Guides
More informationOverview of the Cisco Mobile Wireless Home Agent
CHAPTER 1 Overview of the Cisco Mobile Wireless Home Agent This chapter illustrates the functional elements in a typical Mobile IP packet data system, the Cisco products that are currently available to
More informationCrypto Template Configuration Mode Commands
The Crypto Template Configuration Mode is used to configure an IKEv2 IPSec policy. It includes most of the IPSec parameters and IKEv2 dynamic parameters for cryptographic and authentication algorithms.
More informationSome optimizations can be done because of this selection of supported features. Those optimizations are specifically pointed out below.
IKEv2 and Smart Objects (Tero Kivinen ) 1.0 Introduction This document tells what minimal IKEv2 implementation could look like. Minimal IKEv2 implementation only supports initiator end
More informationAssigning a Home Address on the Home Agent
CHAPTER 4 This chapter discusses how the Cisco Mobile Wireless Home Agent assigns home addresses to a mobile node, the different address types, and provides configuration details and examples. This chapter
More informationConfiguring GTP Services on the GGSN
CHAPTER 3 This chapter describes how to configure a gateway GPRS service node (GGSN) and how to configure GPRS tunneling protocol (GTP) options. For complete description of the GGSN commands in this chapter,
More informationContext Configuration Mode Commands A-D
Context Configuration Mode Commands A-D This section includes the commands aaa accounting through domain service. Command Modes Exec > Global Configuration > Context Configuration configure > context context_name
More informationDynamic Domain Name Server Updates
CHAPTER 9 This chapter discusses DNS update methods and Server Address assignment, and provides configuration details of those features. This chapter contains the following sections: IP Reachability, page
More informationWireless Support. Mobile Node-Home Agent Shared Key. Use Case Example CHAPTER
CHAPTER 19 This chapter provides the following information about using Cisco Prime Access Registrar (Prime Access Registrar) for wireless support: Mobile Node-Home Agent Shared Key 3GPP2 Home Agent Support
More informationCisco Packet Data Serving Node (PDSN) Release 1.2
Cisco Packet Data Serving Node (PDSN) Release 1.2 Feature History Release 12.2(8)BY 12.2(8)ZB 12.2(8)ZB1 12.2(8)ZB5 12.2(8)ZB6 12.2(8)ZB7 12.2(8)ZB8 12.3(4)T Modification This feature was introduced on
More informationip mobile mobile-networks through multi-path (mobile router)
ip mobile mobile-networks through multi-path (mobile router) ip mobile mobile-networks, on page 3 ip mobile prefix-length, on page 5 ip mobile proxy-host, on page 6 ip mobile radius disconnect, on page
More informationConfiguring IPv6 PDP Support on the GGSN
CHAPTER 5 This chapter describes how to configure support for Internet Protocol Version 6 (IPv6) packet data protocol (PDP) contexts on a Cisco Gateway GPRS Support Node (GGSN). For complete descriptions
More informationCall Flows for 3G and 4G Mobile IP Users
This chapter provides various call flows for 3G and 4G mobile IP users, and contains the following sections: Finding Feature Information, on page 1 3G DHCP Discover Call Flow, on page 1 4G DHCP Discover
More informationUnderstanding the authentication imsi-auth msisdn-auth Configuration for Corporate L2TP APNs
Understanding the authentication imsi-auth msisdn-auth Configuration for Corporate L2TP APNs Contents Introduction Problem: The msisdn-auth and imsi-auth APN Configuration Options have a Speciffic (non
More informationshow aaa servers sg show aaa servers sg sg-name Syntax Description
show aaa servers sg show aaa servers sg To display counters (information about the number of packets sent to and received from authentication, authorization, and accounting [AAA] servers) for all the servers
More informationepdg Administration Guide, StarOS Release 16
epdg Administration Guide, StarOS Release 16 Last Updated: July 31, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
More informationUnderstand iwag Solution for 3G Mobile Data
Understand iwag Solution for 3G Mobile Data Contents Introduction Prerequisites Requirements Components Used Background Information Acronyms Explanation of Terminology Used Understand Mobility Services
More information1xEV-DO Inter-Operability Specification (IOS) for CDMA 2000 Access Network Interfaces
June, 00 SP--000 (TIA/EIA/IS-) xev-do IOS Ballot Version GPP A.S000 Ballot Version Date: June, 00 xev-do Inter-Operability Specification (IOS) for CDMA 000 Access Network Interfaces Release 0 (Ballot Version)
More informationMAG Service Configuration Mode Commands
MAG Service Configuration Mode Commands The MAG Service Configuration Mode is used to create and manage a Mobility Access Gateway service in an (ehrpd network) or a P-MIP S-GW (LTE-SAE network). The MAG
More informationMonitoring Mobile Technologies
26 CHAPTER The following topics provide an overview of mobile technologies and describe how to work with mobile technologies in Prime Network Vision: User Roles Required to Work with Mobile Technologies,
More informationAAA Server Group Configuration Mode Commands
AAA Server Group Configuration Mode Commands The AAA Server Group Configuration Mode is used to create and manage the Diameter/RADIUS server groups within the context or system. AAA server group facilitates
More informationshow session subsystem facility aaaproxy all, page 61 show session subsystem facility asnpcmgr all, page 64
This chapter describes the output of the command variants. counters historical all, page 2 disconnect-reasons, page 3 disconnect-reasons buckets, page 3 disconnect-reasons verbose, page 4 progress, page
More informationThis chapter provides configuration information for the HRPD Serving Gateway (HSGW).
This chapter provides configuration information for the HRPD Serving Gateway (HSGW). Important Information about all commands in this chapter can be found in the Command Line Interface Reference. Because
More information3GPP TR v0.4.0( )
3GPP TR 23.827 v0.4.0(2007-09) Feasibility Study of Mobility between 3GPP-WLAN Interworking and 3GPP System (Release 8) Report: 易衛漢 2008/11/18 Non Roaming WLAN Inter-working Reference Model 3GPP Home Network
More informationThis chapter provides configuration information for the HRPD Serving Gateway (HSGW).
This chapter provides configuration information for the HRPD Serving Gateway (HSGW). Important Information about all commands in this chapter can be found in the Command Line Interface Reference. Because
More informationConfiguring QoS on the GGSN
CHAPTER 9 This chapter describes how to configure Quality of Service (QoS) functions to differentiate traffic flow through the GGSN. For a complete description of the GGSN commands in this chapter, refer
More informationPre-paid Billing. Overview. 3GPP2 Standard Pre-paid Billing Overview
This chapter provides information on configuring an enhanced, or extended, service. The product administration guides provides examples and procedures for configuration of basic services on the system.
More informationASR5x00 Series: IP Allocation Failure Upon PDP Request Creation
ASR5x00 Series: IP Allocation Failure Upon PDP Request Creation Document ID: 119150 Contributed by Karuna Jha, Cisco TAC Engineer. Jul 14, 2015 Contents Introduction Problem Root Cause Solution Introduction
More informationRouting Behind the Mobile Station on an APN
Feature Description How It Works The routing behind the Mobile Station(MS) feature enables the routing of packets to IPv4 addresses that do not belong to the PDN Session (the MS), but exist behind it.
More informationCisco ASR 5000 Series Small Cell Gateway
Data Sheet Cisco ASR 5000 Series Small Cell Gateway Mobile subscribers want access to the network at home, work, hotspots, and everywhere in between. This requires mobile operators to expand their service
More informationP-GW Service Configuration Mode Commands
P-GW Service Configuration Mode Commands The P-GW (PDN Gateway) Service Configuration Mode is used to create and manage the relationship between specified services used for either GTP or PMIP network traffic.
More information3GPP TS V9.4.0 ( )
TS 24.303 V9.4.0 (2011-09) Technical Specification 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Mobility management based on Dual-Stack Mobile IPv6; Stage
More informationConfiguring Dynamic Addressing on the GGSN
CHAPTER 11 This chapter describes how to configure dynamic IP addressing on the gateway GRPS support node (GGSN). The tasks in this chapter apply to IPv4 PDP contexts only. For information on IPv6 addressing,
More informationIP Services Gateway Overview
This chapter provides an overview of the IP Services Gateway (IPSG) product. This chapter covers the following topics: Introduction, page 1 How it Works, page 2 In-line Services, page 4 Enhanced Feature
More informationSupported AVPs in DCCA Messages
CHAPTER B The following sections of this appendix list the vendor-specific attribute value pairs (AVPs) supported by the Cisco GGSN in Diameter Credit Control Application (DCCA) Credit-Control-Request
More informationETSI TS V ( )
TS 124 303 V8.10.0 (2017-07) TECHNICAL SPECIFICATION Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Mobility management based on Dual-Stack
More informationTraffic Policing and Shaping
This chapter describes the support of per subscriber feature on Cisco's Chassis and explains the commands and RADIUS attributes that are used to implement this feature. The product Administration Guides
More information3GPP TS V9.0.0 ( )
TS 29.161 V9.0.0 (2009-12) Technical Specification 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Interworking between the Public Land Mobile Network (PLMN)
More informationVirtual Private Networks
EN-2000 Reference Manual Document 8 Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission security,
More informationNetwork PMIP Support COPYRIGHT. 3GPP2 X.S Version 1.0 Date: December 5, 2008
GPP X.S00-0 Version.0 Date: December, 00 COPYRIGHT GPP and its Organizational Partners claim copyright in this document and individual Organizational Partners may copyright and issue documents or standards
More informationCongestion Control. Overview. This chapter describes the Congestion Control feature. It covers the following topics:
This chapter describes the feature. It covers the following topics: Overview, page 1 Configuring, page 2 Overview monitors the system for conditions that could potentially degrade performance when the
More informationConfiguring Dynamic Addressing on the GGSN
CHAPTER 13 This chapter describes how to configure dynamic IP addressing on the gateway GRPS support node (GGSN). Note Dynamic IP addressing is not supported for IPv6 and PPP PDP types. Therefore, the
More informationGGSN Service Configuration Mode Commands
Service Configuration Mode Commands The Gateway GPRS Support Node () Configuration Mode is used to create and manage services within the current context. Important The commands or keywords/variables that
More informationP-GW Service Configuration Mode Commands
Service Configuration Mode Commands The (PDN Gateway) Service Configuration Mode is used to create and manage the relationship between specified services used for either GTP or PMIP network traffic. Exec
More informationRADIUS Attributes. RADIUS IETF Attributes
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS
More informationTS-3GB-P.S0001-Av3.0 Wireless IP Network Standard
TS-GB-P.S000-Av.0 Wireless IP Network Standard Aug, 00 THE TELECOMMUNICATION TECHNOLOGY COMMITTEE TS-GB-P.S000-Av.0 Wireless IP Network Standard . Application level of English description Application
More informationepdg Changes in Release 21.1
This chapter identifies features and functionality added to, modified for, or deprecated from epdg in the StarOS 21.1 software release. The following identifies all of the epdg enhancements included in
More informationMTC Congestion Control
The SGSN\'s MTC (mobile type communications) Congestion Control feature implements General NAS-level congestion control and APN-based congestion control for both Session Management (SM) and Mobility Management
More informationDHCP Service Configuration Mode Commands
DHCP Service Configuration Mode Commands The Dynamic Host Control Protocol (DHCP) Configuration Mode is used to create and manage DHCP service instances for the current context. The commands or keywords/variables
More informationegtp Service Configuration Mode Commands
The egtp Service Configuration Mode is used to create and manage Evolved GPRS Tunneling Protocol (egtp) interface types and associated parameters. Command Modes Exec > Global Configuration > Context Configuration
More informationDiameter NASREQ Application. Status of this Memo. This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.
AAA Working Group Pat R. Calhoun Internet-Draft Black Storm Networks Category: Standards Track William Bulley Merit Network, Inc. Allan C. Rubens Tut Systems, Inc.
More informationthus, the newly created attribute is accepted if the user accepts attribute 26.
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS
More informationCDMA IP. FMC WiMAX LTE L2TP Billing Policy DPI SPIRENT TEST SCENARIOS LANDSLIDE.
IPSec AAA Mobile CDMA GPRS UMTS IMS IP 2000 FMC WiMAX LTE L2TP Billing Policy DPI SPIRENT TEST SCENARIOS www.spirent.com Spirent Communications: Sharing Industry Expertise Advancing Next-Generation Communication
More informationHSS and PCRF Based P-CSCF Restoration Support
This feature enables support for HSS-based and PCRF-based P-CSCF restoration that helps to minimize the time a UE is unreachable for terminating calls after a P-CSCF failure. Feature Description, page
More informationPolicy Control Configuration Mode Commands
Policy Control Configuration Mode Commands Policy Control Configuration mode is used to configure the Diameter dictionary, origin host, host table entry and host selection algorithm for IMS Authorization
More informationDirect Tunnel for 4G (LTE) Networks
This chapter briefly describes support for direct tunnel (DT) functionality over an S12 interface for a 4G (LTE) network to optimize packet data traffic. Cisco LTE devices (per 3GPP TS 23.401 v8.3.0) supporting
More informationMIP4 Working Group. Generic Notification Message for Mobile IPv4 draft-ietf-mip4-generic-notification-message-16
MIP4 Working Group Internet-Draft Intended status: Standards Track Expires: April 28, 2011 H. Deng China Mobile H. Levkowetz Netnod V. Devarapalli WiChorus S. Gundavelli Cisco Systems B. Haley Hewlett-Packard
More informationOperator Policy. What Operator Policy Can Do. A Look at Operator Policy on an SGSN
The proprietary concept of an operator policy, originally architected for the exclusive use of an SGSN, is non-standard and currently unique to the ASR 5x00. This optional feature empowers the carrier
More informationRADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values First Published: September 23, 2005 Last Updated: August 18, 2010 The Internet Engineering Task Force (IETF) draft standard
More informationMobile IP. rek. Petr Grygárek Petr Grygarek, Advanced Computer Networks Technologies 1
Mobile IP Petr Grygárek rek 1 Basic principle Picture from IOS IP and IP Routing Configuration Guide Mobile node maintains the same IP address even while roaming in foreign networks even if it s address
More informationOverview of GPRS and UMTS
CHAPTER 1 This chapter briefly introduces the 2.5G general packet radio service (GPRS) and the 3G Universal Mobile Telecommunications System (UMTS) technologies, and their implementation in Cisco Gateway
More informationIPSec Transform Set Configuration Mode Commands
IPSec Transform Set Configuration Mode Commands The IPSec Transform Set Configuration Mode is used to configure IPSec security parameters. There are two core protocols, the Authentication Header (AH) and
More informationConfiguring Network Access to the GGSN
CHAPTER 7 This chapter describes how to configure access from the gateway GPRS support node (GGSN) to a serving GPRS support node (SGSN), public data network (PDN), and optionally to a Virtual Private
More informationThis chapter describes the support of Non-IP PDN on P-GW and S-GW.
This chapter describes the support of Non-IP PDN on P-GW and S-GW. Feature Summary and Revision History, page 1 Feature Description, page 2 How It Works, page 2 Configuring Non-IP PDN, page 8 Monitoring
More informationCisco PDSN Command Reference for IOS Release 12.4(15)XN
Cisco PDSN Command Reference for IOS 12.4(15)XN This section lists new and revised commands pertaining to the PDSN software. All other commands used with this feature are documented in the Cisco IOS 12.3
More informationthus, the newly created attribute is accepted if the user accepts attribute 26.
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS
More informationOverview of GPRS and UMTS
CHAPTER 1 This chapter briefly introduces the 2.5G General Packet Radio Service (GPRS) and the 3G Universal Mobile Telecommunications System (UMTS) technologies, and their implementation in Cisco Gateway
More informationcdma2000 Wireless IP Network Standard: Accounting Services and 3GPP2 RADIUS VSAs
GPP X.S00-00-C Version:.0.0 Date: August 00 cdma000 Wireless IP Network Standard: Accounting Services and GPP RADIUS VSAs COPYRIGHT GPP and its Organizational Partners claim copyright in this document
More informationMultimedia Broadcast and Multicast Service
This chapter provides information on (MBMS) functionality on GGSN. The product Administration Guides provide examples and procedures for configuration of basic services on the system. It is recommended
More information3GPP TS V8.4.0 ( )
TS 23.327 V8.4.0 (2009-09) Technical Specification 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Mobility between -Wireless Local Area Network (WLAN) interworking
More informationPart II. Raj Jain. Washington University in St. Louis
Part II Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/ 19-1 Overview
More informationSaMOG Gateway Offline Charging
The SaOG Gateway supports generation of CDR files for offline charging. In Offline Charging, charging information is collected concurrently with resource usage and passed through a chain of logical charging
More informationOperation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents
Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols
More informationConfiguring IKEv2 Fragmentation
The IKE Fragmentation adhering to RFC feature implements fragmentation of Internet Key Exchange Version 2 (IKEv2) packets as proposed in the IETF draft-ietf-ipsecme-ikev2-fragmentation-10 document. Finding
More informationL2TP over IPsec. About L2TP over IPsec/IKEv1 VPN
This chapter describes how to configure /IKEv1 on the ASA. About /IKEv1 VPN, on page 1 Licensing Requirements for, on page 3 Prerequisites for Configuring, on page 4 Guidelines and Limitations, on page
More informationETSI TS V ( )
TS 124 303 V14.0.0 (2017-03) TECHNICAL SPECIFICATION Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Mobility management based on Dual-Stack
More informationETSI TS V ( )
TS 124 303 V10.7.0 (2013-07) Technical Specification Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Mobility management based on Dual-Stack
More informationPPP configuration commands
Contents PPP configuration commands 1 ip address ppp-negotiate 1 ip pool 1 link-protocol ppp 2 ppp authentication-mode 2 ppp chap password 4 ppp chap user 5 ppp ipcp remote-address forced 5 ppp pap local-user
More informationGGSN CDR Field Descriptions
This chapter describes the CDR fields supported by the system for use in GGSN-CDRs (G-CDRs) and enhanced G-CDRs (eg-cdrs). The following information is provided for each field: Description: The field's
More informationThe EN-4000 in Virtual Private Networks
EN-4000 Reference Manual Document 8 The EN-4000 in Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission
More informationL2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application
Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features
More informationRADIUS Dictionaries and Attribute Definitions
This chapter presents information on RADIUS dictionary types and attribute definitions. RADIUS Dictionaries, page 1 RADIUS Attribute Notes, page 3 RADIUS AVP Definitions, page 3 RADIUS Dictionaries This
More information